Tweets posted through Twitter's ads platform, even non-ads scheduled tweets, will show up as normal twitter web posts.

And approved partners can use the corresponding API to post this way.

I've not checked twitter api docs but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.

No, it's the name of the app, which undergoes Twitter review.

Nope, it's definitely not pre-reviewed https://www.reddit.com/r/ProgrammerHumor/comments/atlayx/how...

It is now. Twitter has made all new apps by application only. A bunch of folks lost their “just for one” ones last year to this.

Its not hard to fathom that someone who was able to pull off a hack like this could have also found a way to mess with the metadata there.

It kinda is, if the premise is "they hacked a 3rd party app"

Parent takes the posted-from metadata as absolute truth.

I say it can't be relied upon when an active & involved hack is underway.

You provide nothing of value. What do you think this entire thread is, but for idle speculation?

But is it necessarily true that the authentication token was generated with the same app used to post the tweets?